Article 29 Working Party Guidelines on Consent will Lead to More Pop-ups

On July 13, 2011, Europe’s Article 29 Working Party issued an opinion on the notion of consent and how it should be interpreted and used under European data protection laws. The guidelines are in large part a compilation of recommendations previously made by the Article 29 Working Party for particular forms of processing, such as collection of patient data for electronic health records, transfer of data to third parties, processing of passenger name records, etc. The guidelines also draw on case law of the European Court of Justice, including an important decision in the field of employment law interpreting what constitutes a valid consent of an employee.
What emerges from the guidelines is first that data controllers should be wary of relying too much on consent as a basis for processing, particularly when other justifications for the processing may suffice under the directive. It is tempting in some cases to apply a “belt and suspenders” approach by asking data subjects for their consent even when another legal justification for the processing would suffice by itself. The guidelines point out that requesting consent in these circumstances might be a “false good solution”, and create awkward situations when a consent is withdrawn while the data controller still has legitimate grounds to pursue the processing of data.
Another important lesson that emerges from the consent guidelines is that consent must be sufficiently granular to show that the individual specifically gave his or her consent to each type of processing that is envisaged by the data controller. According to the Article 29 Working Party, a general consent to any and all transfers to unspecified third parties would not be sufficiently specific to constitute valid consent. The Article 29 Working Party pointed to the 2010 opinion of the Advocate General in a case involving agricultural funds in Europe, in which the Advocate General held that a broad consent in the fund’s terms and conditions was not sufficiently precise to conclude that the beneficiary of the fund had given unambiguous consent to the publication of his or her name.
Another conclusion that we can draw from the guidelines is that silence or the failure to act can never be considered valid consent. The Article 29 Working Party heavily relies on the notion of "indication" of the data subject's wishes, which is featured in the definition of consent laid out by the 1995 Directive, to conclude that positive action would be required to demonstrate consent. Consequently, the sending of an e-mail to a consumer informing him or her of changes to the privacy policy or stating that the processing of his/her data will be undertaken unless he/she objects within a defined period of time would not be sufficient to constitute the consumer’s consent to the new policy or the contemplated processing. The consent would have to be evidenced by an affirmative clicking of a box or any other relevant positive act. Similarly, the Article 29 Working Party states that browser settings in themselves cannot constitute valid consent. This raises questions in the context of the new European rules requiring prior consent to cookies. Some Member States are studying the extent to which browser settings can be used as a manifestation of prior consent to cookies.
The guidelines helpfully remind us also that consent can, in some cases, be implicit. For example, if an online merchant asks a consumer to provide personal information and the consumer provides it, the consumer will have implicitly consented to the merchant’s use of that information in order to process orders and deliver the goods and services ordered by the consumer. There is no need for a separate consent because the purpose for which the consumer provided the information is obviously to permit the merchant to provide the online goods and services and such processing is therefore reasonably expected by the consumer. On the other hand, if the merchant wishes to use the data for another purpose, such as selling behavioural advertising, a separate specific consent would be needed.
From a general and practical standpoint, implementing the rules as foreseen by the Article 29 Working Party will, in many instances, require companies to initiate a complete review of the conditions under which they use consent to evaluate whether other grounds are available to legitimize their processes and whether consents they have obtained present a sufficient level of granularity to provide accurate and satisfactory information for data subjects. For online service providers, European requirements for consent will lead necessarily to multiple pop-up windows and separate check-the-box consent options. The more granular and affirmative each consent is, the more likely it is to be valid. On the other hand, grouping all data protection consents together in the terms of use is likely to prove risky in light of the Article 29 Working Party guidelines and applicable case law.